14

Wish to get more understanding on the use of kinit and keytab file. For example, if I already have a keytab file generated for a service ( the service registered to active directory by ktpass -mapuser to someuseraccount )

ktab -k "mykeytab" -a <someprincipal>

what really happens under the hood when a user called USERA logs in to Windows and use this keytab as a input parameter for kinit?

kinit -k -t "mykeytab" <someprincipal>

Does the kinit generate initial credentials for someprincipal or for the currently logged in USERA ?

Hope you can clear up this confusion of mine. thanks

John R Smith
  • 848
  • 7
  • 18
dorothy
  • 1,213
  • 5
  • 20
  • 35

1 Answers1

18

This is glossing over many important details, but basically all you ever get from the KDC is an encrypted blob.

The kerberos KDC does not store your password, but a secret key. When you kinit what is going on under the covers is that you are asking the KDC for a ticket to ask for more kerberos tickets, it encrypts that ticket with your secret key.

If you know your secret key, you can unencrypt the blob and use that to access other services.

When you kinit with a password, kerberos uses a "string to key" algorithm to convert your password to the secret key used by the KDC. A keytab is just means for storing the secret key in a local file.

So when you kinit using a keytab, it uses the key in the keytab to decrypt the blob. As far as the kerberos protocol is concerned there really is no difference between using a keytab to kinit and using a password. Both ultimately use the same secret key to decrypt the ticket.

So after you use the keytab for kinit, you have a kerberos ticket of the principal in the keytab. A keytab used with kinit can be thought of as storing a password in a file.

Fred the Magic Wonder Dog
  • 8,889
  • 1
  • 26
  • 32
  • thanks. can i confirm with you. for the above, if USERA used kinit with the keytab file, the credential file `krb5cc_USERA` that is created is a ticket of `someuserprincipal` right ? How do i use this ticket for authentication if USERA wants to use the service? Do i use JAAS (`krb5loginmodule`) with `useKeytab` option and KDC will know its from `USERA`? – dorothy Aug 11 '14 at 23:56
  • Sorry, I can't figure out what you are asking. Are you asking about using a keytab for a service ( the standard usage )? – Fred the Magic Wonder Dog Aug 12 '14 at 00:05
  • hi, i have the original question here. http://stackoverflow.com/questions/25183113/how-does-keytab-work-exactly. I just don't understand what happens next after I call `LoginContext's` `login()` Method. LoginContext taken from Java's JAAS http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html – dorothy Aug 12 '14 at 07:34